Sagar Mahatara

Corporate Lawyer

FDI Lawyer

IP Lawyer


FinTech Regulation in Nepal: Legal Framework, Sandbox, Payment Systems & Compliance (2025)

October 9, 2025 Emerging Trends

Introduction

Nepal’s FinTech regulatory architecture centres on the Payment and Settlement Act (2075 / 2019) and active oversight and rule-making by Nepal Rastra Bank (NRB) through its Payment Systems Department. NRB has developed directives, system rules (RTGS, retail switches), operational oversight reports, and—crucially—has published draft Guidelines on the Regulatory Sandbox to enable supervised FinTech experimentation. Rapid growth of mobile wallets, connectIPS and other retail payment rails has made digital payments mainstream, while NRB’s policy work is balancing financial inclusion, systemic safety, AML/CFT, data protection, and innovation. Key regulatory themes for lawyers and FinTechs: licensing and classification of Payment Service Providers (PSPs), compliance with Payment & Settlement laws and NRB directives, sandbox participation requirements, data/cybersecurity standards, AML/CFT controls, and cross-border payment arrangements.

1. Why regulation matters in FinTech — the legal stakes

FinTech firms operate at the intersection of payments, banking, data, and consumer protection. In Nepal, that means any FinTech that touches payment initiation, settlement, custody of funds, or remittance must navigate a regulatory regime designed to protect monetary stability and consumers while enabling digital inclusion. Fail to classify correctly, and a startup risks enforcement actions, business shutdowns, or criminal liability under AML statutes. Conversely, a well-structured regulatory approach (including sandbox testing) can materially reduce go-to-market risk and accelerate investor confidence. This makes early legal strategy essential — not optional.


2. Legal foundation: Payment & Settlement Act and NRB’s mandate

The Payments and Settlements Act (2075 / 2019) is the statutory backbone for payment systems in Nepal. It grants NRB the authority to regulate, license and supervise payment systems and payment service providers and sets out criteria for systemic importance, settlement rules, and oversight. NRB has operationalised the Act through a sequence of rules, bylaws, system rules (RTGS), unified directives and other circulars from its Payment Systems Department. These instruments collectively define licensing criteria, operational obligations, interoperability expectations and reporting duties for PSPs and system operators. Any FinTech operating in payment clearing, switching, wallet provisioning, merchant acquiring or P2P transfer must map its activities against this framework.

Legal implications for counsel: identify the firm’s exact role (e.g., payment instrument issuer, PSP, switch operator, aggregator, remittance facilitator), then map to licensing directives and compliance obligations set by NRB. The licensing boundary is the single most consequential legal determination.


3. Payment systems & infrastructure: connectIPS, RPS, NPS, RTGS

Nepal’s modern payment rails include:

  • RTGS (Real Time Gross Settlement): for large-value settlement; rules formalised by NRB.
  • connectIPS: an interoperable retail payment platform that significantly expanded digital payment access and user adoption in recent years; it is pivotal for consumer-facing digital payments. The impact of connectIPS has been widely noted in payments literature.
  • Retail Payment Switch (RPS) / National Payment Switch (NPS): the RPS is operational for domestic retail transactions; a national payment switch is under development to broaden interoperability and reduce settlement fragmentation. NRB oversight and switching rules govern membership, routing, clearing and settlement.

Practical note: interoperability obligations can determine technical integration costs, revenue models (transaction fees), reconciliation cycles and contingency planning (e.g., in a switch outage). Ensure contracts with switch operators, PSPs, and banks have clear SLA, indemnity and dispute resolution terms.


4. Classification and licensing of FinTechs and PSPs in Nepal

NRB’s directives and circulars (and the Payment & Settlement Act) differentiate between:

  • Payment System Operators (switch operators, clearing houses),
  • Payment Service Providers (PSPs) (wallet issuers, PSPs enabling merchant acquiring, P2P transfer),
  • Account Information Service Providers and Payment Initiation Service Providers (where applicable), and
  • Systemically Important Payment Systems (SIPS), which attract stricter oversight and contingency rules.

Key legal questions to ask:

  • Do customer funds sit on the company’s balance sheet (custodial obligation)?
  • Is the FinTech performing settlement and finality functions (i.e., are you a system operator)?
  • Does the product involve foreign currency or cross-border flows (triggering FX/NRB approvals)?

Classification determines licensing, capital requirements, reserve requirements, and permitted intermediation. NRB’s Payment System Operator and PSP directives (and subsequent circulars) specify documentation, security standards, reporting cadence and reserve or escrow requirements where applicable.


5. Regulatory sandbox: what it permits, who can apply, and legal safeguards

NRB has published consultative draft Guidelines on the Regulatory Sandbox to facilitate responsible innovation: the sandbox allows authorised financial institutions and licensed/registered FinTech firms to test new products, services, technologies and business models in a controlled environment. The draft provides definitions, application criteria, eligibility (including consumer protection safeguards), and reporting obligations for sandbox participants. This instrument is central to FinTech product testing, where full compliance requirements may be tweaked under supervision.

What the sandbox typically enables:

  • Time-bounded, geographically/segment-limited tests;
  • Exemptions or waivers from certain regulatory formalities during testing (still under NRB supervision);
  • Clear exit and escalation protocols for consumer harm or systemic risk.

Practitioner’s checklist for sandbox applications: a rigorous risk assessment, consumer disclosure templates, KYC/AML mitigation protocols, contingency/rollback plans, clear performance metrics, and an exit strategy. Counsel must draft the sandbox application and the legal safeguards that will be relied upon in the testing window.


6. AML/CFT, KYC, and cross-border rules relevant to FinTechs

FinTechs are squarely within the AML/CFT scope when they handle funds or remittances. NRB-issued AML/CFT rules (in coordination with Nepal’s Financial Information Unit and other regulators) require:

  • Customer Due Diligence (CDD) / KYC procedures proportionate to risk;
  • Transaction monitoring and suspicious transaction reporting;
  • Record retention and cooperation with FIU or law enforcement on requests.

Cross-border payments trigger additional layers: foreign exchange rules, repatriation requirements, correspondent bank relationships, and bilateral arrangements (e.g., NRB-RBI MoUs or terms of reference for cross-border payment connectivity). The IFC and NRB reports note active work on cross-border integration and the legal/regulatory scaffolding required.

Lawyer’s action items: implement transaction monitoring policies; ensure audit trails and suspicious activity reporting channels; verify whether your product requires additional licensing to operate as a remittance or cross-border PSP.


7. Data protection, cybersecurity and consumer protection obligations

FinTechs are data-rich entities; regulation and good practice demand robust data governance:

  • Data protection: Nepal does not (as of these major NRB documents) have a comprehensive, operationalised data protection law like GDPR; nonetheless, sectoral guidance, NRB directives, and international best practice impose obligations for confidentiality, purpose limitation, storage limitation and lawful processing. Adopt privacy policies, data minimisation, and strong contractual protections with processors.
  • Cybersecurity: NRB’s oversight includes operational resilience — secure architecture, incident reporting, encryption standards, and contingency planning. Payment system rules (RTGS, switching guidelines) demand secure operations and disaster recovery protocols.
  • Consumer protection: disclosure of fees, clear dispute resolution avenues, refund policies, and consumer redress mechanisms must be built into product design and platform terms.

Practical counsel: prepare a Data Processing Agreement (DPA), a cybersecurity incident response plan, and consumer terms with mandatory disclosures compliant with NRB directives.


8. Practical compliance checklist for FinTech founders and counsel

Use this checklist during pre-launch and scaling:

  1. Business model and activity mapping: classify whether you are a PSP, switch, e-money issuer, remittance operator, or ancillary service. (Licensing flows from classification.)
  2. Statutory/license review: map activities against the Payment & Settlement Act and NRB directives. Obtain necessary licenses or partner with licensed institutions.
  3. Sandbox readiness (if testing): prepare application, risk mitigation, consumer disclaimers, and exit strategy per NRB sandbox guidelines.
  4. AML/CFT and KYC: implement risk-based KYC, transaction monitoring and STR reporting.
  5. Technical and operational controls: security, encryption, penetration testing, DR, and reconciliation procedures tied to RTGS/connectIPS/NPS interfaces.
  6. Contract architecture: bank/partner agreements, PSP/switch integration contracts, merchant agreements, and indemnities.
  7. Data governance: DPA, privacy policy, retention schedules, and third-party processor controls.
  8. Consumer protection and dispute resolution: clear T&Cs, consumer helpline, and escalation matrix.
  9. Insurance and contingency capital: professional indemnity, cyber insurance where available.
  10. Regulatory engagement plan: designated compliance officer, periodic reporting templates, supervisory engagement calendar.

9. Key risks, enforcement trends and dispute/penalty landscape

NRB’s enforcement emphasises systemic safety and consumer protection. Practical risks include:

  • Operating without a required license — leading to cease-and-desist orders and fines;
  • Weak AML/CFT controls — fines and criminal exposure;
  • Data breaches — reputational damage and regulatory action;
  • Interoperability disputes or settlement failures — contractual claims and potential NRB intervention.

Counsel’s focus: design layered compliance to mitigate regulatory investigations. Pre-emptive remediation reporting and cooperative engagement with NRB often reduce sanction severity.


10. Roadmap & legal recommendations — what a prudent FinTech must do

  1. Engage counsel at the product-design stage. Don’t treat compliance as an afterthought. Early legal mapping reduces rework and exposure.
  2. Use NRB’s sandbox constructively. If eligible, the sandbox reduces regulatory uncertainty for novel offerings; prepare detailed test plans and clear consumer safeguards.
  3. Partner where appropriate. Banking partners or licensed PSPs can provide regulated rails while you productize the user experience. But ensure contracts preserve control over KYC, AML screening and dispute response.
  4. Invest in compliance systems early. Transaction monitoring, logs, and audit trails scale with the user base; retrofitting is costly and risky.
  5. Plan for cross-border: regulatory approvals, correspondent banking and FX compliance — these are slow, and integration depends on bilateral regulatory coordination (e.g., NRB exchanges with RBI).

11. FAQs

Q1 — What is the primary law governing FinTech and payments in Nepal?
The Payments and Settlements Act (2075 / 2019) is the primary statute; NRB issues rules, directives and circulars to operationalise it.

Q2 — Can a FinTech company issue mobile wallets in Nepal?
Yes, but issuance and operation of e-money/wallets are regulated. A firm must satisfy NRB’s PSP / wallet issuer requirements or partner with a licensed entity. Classification depends on custody of funds and settlement responsibilities.

Q3 — What is the NRB Regulatory Sandbox, and how can my startup apply?
The sandbox is a supervised testing environment with a limited scope and time to trial innovations. NRB has published draft Guidelines; eligible applicants include authorised financial institutions and FinTech companies; the application must include risk mitigation, consumer safeguards and exit criteria.

Q4 — Does Nepal have a data protection law for FinTechs?
Nepal has emerging legislative and policy discussions on data protection, but sectoral rules and NRB directives impose practical data governance requirements. FinTechs must implement robust privacy and cybersecurity practices.

Q5 — How does connectIPS affect FinTech market entry?
connectIPS serves as a critical retail payment infrastructure enabling interoperable payments; integrating with connectIPS or RPS/NPS influences settlement flows and determines technical and contractual obligations.

12. Conclusion

FinTech regulation in Nepal is maturing rapidly. NRB has the statutory tools and the administrative intent to enable innovation while protecting systemic stability and consumers: this is evident from Payment Systems oversight, directives and the rollout of sandbox guidance. For counsel and founders, the single most important immediate tasks are correct activity classification, alignment with NRB licensing and directives, and establishing robust AML, data and operational controls — ideally prior to public launch. The sandbox offers an opportunity to test innovations under supervision, but good legal design remains the prerequisite for sustainable scale.
